News:


Vulnerability??!!

Started by Scferg, February 10, 2008, 12:31:12 AM


Scferg

Um... somebody pointed out to me that if you type in:
FORUM-DIRECTORY/index.php~ it'll reveal the whole index.php source.

Did I miss something and should have deleted it?

Scferg

Well, when I type it in for my forum... it shows the whole code, like I described.

In my forum directory, there's an index.php~ file.

vbgamer45

It depends on your server configuration, and for some configurations it may allow those files to be displayed. This normally is not a security issue unless you have passwords or other information that you wish not to share in those files. The ~ files are only created if a mod/upgrade package updates those files.
Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Scferg

It is chmodded to 666. And it won't allow me to change the permissions. Should I delete it?

Scferg

I'll just back those files up, delete them and see what happens.

vbgamer45

I wouldn't delete them; then you can't uninstall the mods.
It really isn't a security issue unless you have custom code you do not want to share, since anyone can download a copy of the SMF code.

Scferg

Is there any way I could just hide them from the public?

vbgamer45

You might want to talk to your host about their configuration, to see if they can block ~ files from being shown, or write an htaccess script to deny access to them.

Scferg

Ok, thanks!

I was panicked for a bit :P

Grudge

For info, you can disable backups from the packages -> options menu if you prefer.
I'm only a half geek really...

青山 素子

If you are on Apache and can use an htaccess file, adding this should stop external access of the files:

<FilesMatch "\.(php~)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Note I didn't get a chance to test this.

Also, being able to see the source of these backup files isn't a security issue in and of itself. It only becomes an issue if you embed passwords and the like in the SMF source, which is a very bad practice.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Scferg

I checked through that whole code for passwords. I know I didn't add anything into that code, but I just wanted to make sure.

青山 素子

The only file that SMF uses to store info for database passwords is Settings.php, and it is backed up to Settings_bak.php to prevent the contents from being shown.

As a warning, if you use an editor directly on the shell of the server, some programs will create a similar backup. This means if you edit Settings.php directly on the server, you might encounter an issue. Just remember to check afterwards if you do this.
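As an added example (not from this thread or from SMF), the following Python script inventories the kinds of leftover files discussed above (package `~` backups, editor `.bak`/`.swp` files, and SMF's own Settings_bak.php) under a forum directory, and checks each one against the FilesMatch expression posted earlier to show that the rule only covers names ending in `.php~`. The directory layout and file names it creates are constructed for the demonstration.

```python
import os
import re
import tempfile

# Filename patterns that editors and package installers commonly leave behind
# (constructed for this example; extend the list for your own tooling).
BACKUP_PATTERNS = [
    re.compile(r"~$"),                     # index.php~ (SMF package / emacs backups)
    re.compile(r"\.(bak|orig|old|swp)$"),  # Load.php.bak, .Load.php.swp
    re.compile(r"_bak\.php$"),             # SMF's own Settings_bak.php
]

# The FilesMatch expression posted above; Apache applies it as an unanchored
# regex search against the file name.
POSTED_FILESMATCH = re.compile(r"\.(php~)$")


def find_backup_files(root):
    """Return sorted, root-relative POSIX paths of files that look like backups."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(p.search(name) for p in BACKUP_PATTERNS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def covered_by_rule(path, rule=POSTED_FILESMATCH):
    """True if the FilesMatch rule would deny this file (it matches the basename)."""
    return rule.search(os.path.basename(path)) is not None


def audit(root):
    """Map each backup-looking file to whether the posted rule would block it."""
    return {path: covered_by_rule(path) for path in find_backup_files(root)}


def build_demo_root():
    """Create a constructed forum directory containing a few leftover files."""
    root = tempfile.mkdtemp(prefix="smf-demo-")
    os.makedirs(os.path.join(root, "Sources"))
    for rel in ["index.php", "index.php~", "Settings_bak.php", "Sources/Load.php.bak"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed sample\n")
    return root


if __name__ == "__main__":
    for path, blocked in audit(build_demo_root()).items():
        print(f"{path:25} {'denied by rule' if blocked else 'NOT covered by rule'}")
```

Files the rule does not cover are served as whatever the web server decides by extension, so anything reported as not covered needs either a broader FilesMatch expression or removal from the web root.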

